Stream ciphers cower before Adi Shamir’s cube attack

Cryptography is something of a cryptic field, if you’ll forgive the pun. While one researcher erects the walls of a new technique, another tries to smash it to pieces. Seemingly counterintuitive, near-simultaneous construction and compromise of encryption techniques ensures that only the fittest algorithms survive to safeguard sensitive bits.

Adi Shamir brought a big new wrecking ball to bear on stream ciphers at Crypto2008, the 28th International Cryptology Conference, one that will send architects of the algorithms back to their keyboards. Cryptographers view stream ciphers as the vanguard of encryption for embedded systems, so Shamir’s new class of attack was a "wake up call" for the field, said David Wagner, the conference's program chair and associate professor of computer science at the University of California, Berkeley.

Shamir and coauthor Itai Dinur presented their "cube attack"—so named because of its basic form in three dimensions—in a talk last week at the conference. While a more-detailed paper is still forthcoming, Shamir and Dinur's work was the talk of the conference. And with good reason: Shamir is cryptographic royalty, having invented the RSA algorithm with Ron Rivest and Leonard Adleman almost 30 years ago.

Researchers at the conference were stunned with the cube attack’s simplicity and efficacy. "There were lots of people like me who slapped their foreheads and said, 'Why didn't I think of that!'" Wagner told Ars.

[Image caption: Thomas Jefferson's cipher has not been tested by Shamir's cube attack]

Stream ciphers are not meant to be military-grade encryption schemes (although they were used by the military as recently as the 1980s), but one of their possible weaknesses was heretofore unexploitable. Stream ciphers employ symmetric-key cryptography, an approach in which the decryption key is closely related to the encryption key. The keys are usually so closely related that they are identical, so a compromised key can decrypt the encrypted information.

"People knew that for some of these stream ciphers, they could express the output as a formula of the key," Wagner said. A given key's formula, though, is complex. As long as the formula was too long to write down—which many are—experts felt the algorithms were secure.

"What Adi discovered is, well, that isn’t necessarily so," he said.

Shamir and Dinur noticed patterns in the output for certain keys when that output could be expressed as a polynomial. In its original form, the polynomial is unmanageably long. But their attack boils the string of variables down to a smaller, more comprehensible size. The shorter formula then leaks bits of the cryptographic key, Wagner said, enabling an attacker to break the encryption and access the data.
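The mechanism behind "boiling down" the polynomial is easier to see on a toy. The following is an added example, not code from the article and not from Dinur and Shamir's paper: a constructed one-bit "cipher" whose output is a polynomial over GF(2) in public bits x (an IV) and secret key bits k. XOR-summing the output over every setting of a chosen subset of public bits (the "cube") cancels every monomial that misses at least one cube variable, leaving a much shorter polynomial (the superpoly) in the key bits alone. If that superpoly is linear, one cube sum against the device holding the unknown key yields one linear equation in the key, and enough cubes recover the key by Gaussian elimination. The polynomial, the function names and the cube choices are all assumptions of this example; cube (1, 2) is included deliberately because its superpoly is nonlinear, which is the case a linearity test has to reject.

```python
"""Toy cube attack over GF(2). Constructed example; TOY_POLY is invented."""
import itertools
import random

# Constructed toy output polynomial: a list of monomials, each a tuple of
# variables; ('x', i) is public bit i, ('k', j) is secret key bit j.
# Addition is XOR, multiplication is AND (arithmetic mod 2).
TOY_POLY = [
    (('x', 0), ('x', 1), ('k', 0)),
    (('x', 0), ('x', 1), ('x', 2), ('k', 1)),
    (('x', 0), ('x', 1), ('x', 2)),
    (('x', 1), ('x', 2), ('k', 2)),
    (('x', 1), ('x', 2), ('k', 0), ('k', 2)),   # makes cube (1, 2) nonlinear
    (('x', 0), ('k', 0), ('k', 1)),
    (('k', 0), ('k', 1), ('k', 2)),
    (('x', 2), ('k', 1), ('k', 2)),
    (('x', 0), ('x', 2), ('k', 2)),
    (('x', 0), ('x', 2), ('k', 0)),
]
N_PUB, N_KEY = 3, 3


def evaluate(poly, x, k):
    """Evaluate the polynomial at public bits x and key bits k (mod 2)."""
    total = 0
    for mono in poly:
        prod = 1
        for kind, i in mono:
            prod &= x[i] if kind == 'x' else k[i]
        total ^= prod
    return total


def toy_cipher(x, k):
    """The black box: one output bit for public bits x and key bits k."""
    return evaluate(TOY_POLY, x, k)


def cube_sum(oracle, cube, n_pub):
    """XOR of oracle(x) over all 2^|cube| settings of the cube bits, with the
    remaining public bits fixed to 0. Monomials lacking a cube variable are
    added an even number of times and vanish; what survives is the superpoly
    of the cube evaluated at whatever key the oracle holds."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        x = [0] * n_pub
        for i, b in zip(cube, bits):
            x[i] = b
        acc ^= oracle(x)
    return acc


def preprocess(cipher, cube, n_pub, n_key, trials=64, seed=1):
    """Offline phase on a device whose key the analyst controls. Returns the
    superpoly as (coefficients, constant) if it passes a BLR linearity test,
    or None if it is nonlinear and the cube is unusable for a linear attack."""
    def superpoly(k):
        return cube_sum(lambda x: cipher(x, k), cube, n_pub)
    rng = random.Random(seed)
    const = superpoly([0] * n_key)
    for _ in range(trials):
        a = [rng.randrange(2) for _ in range(n_key)]
        b = [rng.randrange(2) for _ in range(n_key)]
        ab = [u ^ v for u, v in zip(a, b)]
        if superpoly(a) ^ superpoly(b) ^ const != superpoly(ab):
            return None
    coeffs = []
    for j in range(n_key):
        unit = [0] * n_key
        unit[j] = 1
        coeffs.append(superpoly(unit) ^ const)
    return coeffs, const


def solve_gf2(rows, rhs):
    """Gauss-Jordan elimination over GF(2). Returns the unique solution, or
    None if the system is underdetermined or inconsistent."""
    n = len(rows[0])
    m = [row[:] + [r] for row, r in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, len(m)) if m[i][c]), None)
        if p is None:
            continue
        m[r], m[p] = m[p], m[r]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [u ^ v for u, v in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    if len(pivots) < n or any(m[i][n] for i in range(r, len(m))):
        return None
    sol = [0] * n
    for i, c in enumerate(pivots):
        sol[c] = m[i][n]
    return sol


def cube_attack(cipher, oracle, cubes, n_pub, n_key):
    """Full attack: learn each cube's linear superpoly offline, take one cube
    sum per usable cube against the oracle bound to the unknown key, and
    solve. Returns (recovered key or None, cubes actually used)."""
    rows, rhs, used = [], [], []
    for cube in cubes:
        found = preprocess(cipher, cube, n_pub, n_key)
        if found is None:
            continue
        coeffs, const = found
        rows.append(coeffs)
        rhs.append(cube_sum(oracle, cube, n_pub) ^ const)
        used.append(cube)
    return solve_gf2(rows, rhs), used


if __name__ == "__main__":
    secret = [1, 0, 1]  # constructed unknown key held by the target device
    key, used = cube_attack(toy_cipher, lambda x: toy_cipher(x, secret),
                            [(0, 1), (0, 1, 2), (0, 2), (1, 2)], N_PUB, N_KEY)
    print("recovered", key, "using cubes", used)
```

The point for a designer is the one Wagner makes: security rested on the polynomial being too long to write down, yet nothing here ever writes it down. Each cube sum costs only 2^|cube| queries, and the attack needs only that the superpolys it finds be linear, which is why the linearity test and its rejection of cube (1, 2) matter as much as the key recovery.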

Stream ciphers are not used in most desktop computing applications; rather, they are found in devices like cell phones, radio frequency identification (RFID) chips, car key fobs, and other low-end appliances that are not computers per se but incorporate software. Experts think stream ciphers will be widely used in the embedded market in part due to their efficient approach to encryption.

The cube attack does not pose any risk to currently implemented stream ciphers, but it will certainly influence scientists designing future algorithms.

The genius of Shamir and Dinur's work is it "put [previous attacks] together and extended them in a surprising new way," Wagner said. "We’re still absorbing the consequences of this research."